SessionManager opens the backdoor to systems


Malware that provides a backdoor into Microsoft Exchange servers has been used in attacks on government and military organizations in Europe, the Middle East, Asia and Africa. The malware is difficult to detect, which makes removing it a problem, security researchers say.

The malware, known as SessionManager, is a malicious native module for Microsoft’s Internet Information Services (IIS) web server. IIS hosts the web-facing parts of an Exchange deployment (Outlook Web Access, Exchange Web Services, Autodiscover and similar endpoints), so a module loaded by IIS sits in the path of every request the Exchange server handles.

SessionManager targets Microsoft Exchange servers. (Photo illustration by Jakub Porzycki/NurPhoto via Getty Images)

What is Microsoft Exchange SessionManager malware?

Once deployed on a Microsoft Exchange server, SessionManager enables a wide range of malicious activities, such as reading email, taking control of other systems on the network and delivering further malware, according to a report by security firm Kaspersky. The backdoor gives its operators “persistent, update-resistant, and stealthy access” to the victim’s IT infrastructure, the report adds.

SessionManager is difficult to spot. According to a scan by Kaspersky researchers, the malware was still present on the systems of 90% of the organizations that were alerted to it when SessionManager was first discovered earlier this year.

The attackers using the malware have shown a particular interest in NGOs and government agencies, and have compromised a total of 34 servers belonging to 24 organizations across Europe, the Middle East, South Asia and Africa, Kaspersky says.

Vulnerabilities in Microsoft Exchange servers are a major target for attackers

Vulnerabilities in Exchange servers are an increasingly popular target for hackers. Tech Monitor has reported on several of them over the past year, including the ProxyLogon flaws exploited by the Hafnium group, which affected thousands of email servers. Exchange issues accounted for three of the ten most exploited vulnerabilities of 2021, according to the Five Eyes security alliance, and Exchange was the only product to appear in the top ten more than once.

According to Kaspersky, closely monitoring servers is the only way to stay ahead of attackers. “In the case of Exchange servers, we cannot stress this enough: the past year’s vulnerabilities have made them perfect targets for whatever the malicious intent, so they should be carefully scrutinized and monitored for hidden implants if they aren’t already,” said Pierre Delcher, senior security researcher in Kaspersky’s Global Research and Analysis Team.

In fact, Delcher notes that the sheer volume of such attacks means removing the malware from networks will be a long task. “With the massive and unprecedented exploitation of server-side vulnerabilities, most cybersecurity actors have been busy investigating and responding to the first identified breaches,” he said. “As a result, it’s still possible to detect corresponding malicious activity months or years later, and it’s likely to remain so for a long time to come.”

The malware is believed to be deployed by Gelsemium, a threat group active since 2014 that has mainly targeted organizations in Asia and the Middle East.

The Kaspersky team recommends regularly checking which modules are loaded by IIS on internet-exposed IIS servers, and focusing detection efforts on lateral movement and data exfiltration from the compromised system, paying special attention to outbound traffic.
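One way to carry out the module check offline, as an added example that is not Kaspersky’s or Tech Monitor’s code: native IIS modules (DLLs, which is what SessionManager is) are registered under <system.webServer><globalModules> in applicationHost.config, so a copy of that file taken from the server can be triaged without running anything on the host. The script below parses that section and applies two checks: an image-path allow-list and a diff against a known-good list of module names. The allow-list, the baseline names, the assumed system root and the sample config (including its two suspicious entries) are all constructed for this example and should be replaced with values from the environment being examined.

```python
"""Offline triage of an IIS applicationHost.config for unexpected native modules.

Added illustration, not Kaspersky's or Tech Monitor's code. Native IIS modules
are registered under <system.webServer><globalModules>, so listing that section
is the first step of "checking loaded IIS modules". Two checks are run on the
parsed list: an image-path allow-list and a diff against a known-good baseline
of module names. TRUSTED_DIRS, BASELINE_NAMES, the system-root expansion and
SAMPLE_CONFIG are assumptions constructed for this example.
"""
import ntpath
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Assumed directories that legitimate native modules load from on an
# Exchange host. Environment variables in image paths are expanded first.
TRUSTED_DIRS = (
    r"C:\Windows\System32\inetsrv",
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319",
    r"C:\Program Files\Microsoft\Exchange Server\V15",
)

# Assumed known-good baseline, e.g. captured from a freshly built server.
BASELINE_NAMES: Set[str] = {
    "UriCacheModule", "StaticFileModule", "ManagedEngineV4.0_64bit",
}

# Constructed sample config. The names and paths of the last two entries are
# made up for this example; they show what the checks are meant to surface:
# a DLL under a writable temp directory, and one that uses '..' to escape
# the inetsrv directory while its path still starts with it.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="CustomSessionModule" image="C:\Windows\Temp\sessmod.dll" />
      <add name="CacheHelperModule" image="%SystemRoot%\System32\inetsrv\..\..\Temp\helper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def _normalize(image: str) -> str:
    """Expand the variables IIS uses, collapse '..' and lower-case the path."""
    path = image.strip()
    for var in ("%windir%", "%SystemRoot%"):
        path = path.replace(var, r"C:\Windows")  # assumed system root
    return ntpath.normcase(ntpath.normpath(path))


def list_global_modules(config_xml: str) -> List[Dict[str, str]]:
    """Return every <add> entry under <globalModules> with its attributes."""
    root = ET.fromstring(config_xml)
    modules = []
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            modules.append({
                "name": entry.get("name", ""),
                "image": entry.get("image", ""),
                "preCondition": entry.get("preCondition", ""),
            })
    return modules


def untrusted_path_modules(config_xml: str) -> List[str]:
    """Names of modules whose DLL does not sit inside one of TRUSTED_DIRS."""
    trusted = tuple(_normalize(d).rstrip("\\") + "\\" for d in TRUSTED_DIRS)
    return [m["name"] for m in list_global_modules(config_xml)
            if not _normalize(m["image"]).startswith(trusted)]


def modules_not_in_baseline(config_xml: str,
                            baseline: Set[str] = BASELINE_NAMES) -> List[str]:
    """Names of registered modules that the known-good baseline does not list."""
    return [m["name"] for m in list_global_modules(config_xml)
            if m["name"] not in baseline]


if __name__ == "__main__":
    for m in list_global_modules(SAMPLE_CONFIG):
        print(f'{m["name"]:26} {m["image"]}')
    print("outside trusted dirs:", untrusted_path_modules(SAMPLE_CONFIG))
    print("not in baseline:     ", modules_not_in_baseline(SAMPLE_CONFIG))
```

The path check alone is not sufficient: an attacker who can write to the inetsrv directory passes it, which is why the baseline diff is run as well, and why the DLLs themselves should be hashed and compared against known-good copies. On a live server the same list is available from `%windir%\system32\inetsrv\appcmd.exe list modules` or, in PowerShell with the WebAdministration module, `Get-WebGlobalModule`.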

“Threat intelligence is the only component that enables reliable and timely anticipation of such threats,” Delcher adds. “Gaining visibility into current cyber threats is paramount for organizations to protect their assets. Such attacks can result in significant financial or reputational damage and disrupt a target’s operations.”
